Weighing Pros, Cons of Cloud Computing SecurityNIST Scientists Raise Questions, Now Seek Answers
The presentation, Effectively and Securely Using the Cloud Computing Paradigm, is not intended to provide official NIST guidance or policy but is presented to engage government IT managers in a discussion on the benefits and security challenges of cloud computing.
"Cloud computing is a convergence of many technologies (and) some have their own standards," the presentation states. "This convergence combined with massively scaled deployments represents leap-ahead capabilities."
Among the potential cloud computing benefits identified by the computer scientists: dedicated security teams, greater infrastructure security, reduction in certification and accreditation activities, simplifying compliance analysis, low-cost disaster recovery and rapid reconstitution of services.
The information security challenges they identified included conflicts with existing data dispersal and international privacy laws, data ownership, service guarantees, securing virtual machines, massive outages and encryption needs.
Other concerns the NIST computer scientists raised included moving personal identifiable information and sensitive data to the cloud, using service-level agreements to obtain cloud security, contingency planning and disaster recovery for cloud implementations and handling compliance.
"So where are we?" the NIST scientists asked in their presentation. "Today, cloud standards don't exist. Grid computing has many standards but isn't the same model. SOA/WE (service-oriented architecture/web services) has standards but this only applies to the applications running on the cloud. Standards will be vital to achieve success. ... (You) can't standardize what you can't define."
And, defining definitions and models related to cloud computing and its security is what NIST intends to do. By early fall, NIST intends to publish special publications that address the problems cloud computing solves, the technical characteristics of cloud computing and how best to leverage cloud computing and obtain security.